You can configure a context-aware or an application-based firewall rule by defining layer 7 service objects. A layer 7 context-aware firewall rule can intelligently inspect the content of the packets.

This example explains how to create a layer 7 firewall rule that uses the APP_HTTP service object. The rule allows HTTP requests from a virtual machine to any destination. After creating the rule, you initiate HTTP sessions from the source VM that match this rule, and turn on flow monitoring on a specific vNIC of the source VM. The firewall detects the HTTP application context and enforces the rule on the source VM.

Prerequisites

You must log in to the vSphere Web Client with an account that has any one of the following NSX roles:
  • Security administrator
  • NSX administrator
  • Security engineer
  • Enterprise administrator
Note: Make sure that NSX Data Center for vSphere 6.4 or later is installed.

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > Security > Firewall.
  2. (Optional) Add a firewall rule section to group context-aware firewall rules.
  3. Click Add Rule.
  4. Create the context-aware firewall rule.
    1. Enter a rule name to identify this rule. For example, enter L7_Rule_HTTP_Service.
    2. In the Source column, click the Edit icon.
      The Specify Source page opens.
    3. From the Object Type drop-down menu, select Virtual Machine.
    4. From the Available Objects list, select the virtual machine. Move this object to the Selected Objects list, and then click Save.
    5. In the Destination column, retain the default value as Any.
    6. In the Service column, click the Edit icon.
      The Specify Service page opens.
    7. From the Object Type drop-down menu, select Services.
    8. From the Available Objects list, select the APP_HTTP service. Move this service to the Selected Objects list, and then click Save.
    9. Make sure that the firewall rule is enabled, and the rule action is set to Allow.
    10. Click Publish to publish the firewall rule configuration.
    The following figure shows the firewall rule that you created.
    Figure 1. Context-Aware Firewall Rule Definition
  5. Log in to the console of your source VM and run the Linux wget command to download a file from the web over HTTP.
  6. On the vNIC of the source VM, turn on live flow monitoring to monitor traffic flows on the source VM.
    1. Navigate to Tools > Flow Monitoring.
    2. Select a particular vNIC on the source VM. For example, select l2vpn-client-vm-Network adapter 1.
    3. Click Start to view the flow monitoring data.
  7. In the following figure, the flow monitoring data shows that the firewall rule has detected the application (HTTP) context. Rule 1005 is enforced on the source VM (10.161.117.238), and traffic flows to the destination IP addresses 151.101.129.67 and 151.101.53.67.
    Figure 2. Traffic Flows on Source VM (rule action set to Allow)
  8. Return to the Firewall page, and change the rule action to Block.
  9. Go to the console of the source VM and run the wget command again.
    Observe that the HTTP requests are now blocked on the source VM. The VM console shows an error similar to the following:
    HTTP request sent, awaiting response ... Read error (Connection reset by peer) in headers
    Retrying.
    The following figure shows a flow with the application (HTTP) context detected and blocked on the vNIC of the source VM (10.161.117.238).
    Figure 3. Traffic Flows on Source VM (rule action set to Block)
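Steps 5 and 9 verify the rule by running wget on the source VM and reading the console output by eye. The following script, added here as an example and not part of the NSX documentation, does the same check in a repeatable way: it runs a single bounded wget fetch and classifies the outcome as allowed (transfer completed), blocked (the "Connection reset by peer" error shown above, which is what the Block action produces) or other (DNS failure, timeout, HTTP error, which are not caused by the DFW rule). The URL argument is a placeholder you supply; wget is assumed to be installed on the VM.

```shell
#!/bin/sh
# Added example (not from the NSX documentation): verify a context-aware HTTP
# rule from the source VM by running wget once and classifying the result.
# Assumptions: wget is installed on the VM; the URL is supplied by the operator.

# classify_wget EXIT_CODE OUTPUT
# Maps a wget exit status plus its combined stdout/stderr text to one of:
#   allowed - the HTTP transfer completed (rule action Allow)
#   blocked - connection reset while reading headers (rule action Block,
#             the console error shown in step 9 of this page)
#   other   - DNS failure, timeout, HTTP 4xx/5xx, etc. (not the DFW rule)
classify_wget() {
    code="$1"
    out="$2"
    if [ "$code" -eq 0 ]; then
        echo allowed
    elif printf '%s' "$out" | grep -q 'Connection reset by peer'; then
        echo blocked
    else
        echo other
    fi
}

# run_probe URL
# Performs one fetch, discarding the body, with a bounded number of retries so
# that a Block rule does not leave wget retrying indefinitely as in step 9.
run_probe() {
    out=$(wget --tries=2 --timeout=10 -O /dev/null "$1" 2>&1)
    code=$?
    classify_wget "$code" "$out"
}

# Only run the live probe when a URL argument is given, e.g.
#   sh verify_l7_rule.sh http://your-test-server.example/   (placeholder URL)
if [ -n "$1" ]; then
    echo "rule verdict for $1: $(run_probe "$1")"
fi
```

Run the script once with the rule action set to Allow and once after changing it to Block (step 8); the verdict should change from allowed to blocked. Any other verdict points at a problem outside the firewall rule, such as name resolution or the target web server, and should be resolved before trusting the flow monitoring data.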

What to do next

To know about other scenarios where you can use context-aware firewall rules, see Context-Aware Firewall Scenarios.